Permanent corpus · MITRE ATT&CK × thrunt signal × detection coverage
ATT&CK Signal Rollup
Which ATT&CK techniques are showing up in the thrunt corpus — cited in recent MISP threat reports, mapped from CISA KEV CVEs — and where detection coverage stands, counting both SigmaHQ community rules and our own. The full catalogue lives at attack.mitre.org; this page answers the question neither MITRE's flat catalogue nor the rule firehose can: which techniques are hot in live signal right now and covered by no one. Rows marked gap are the hand-authoring queue.
- Techniques with signal: 152
- Coverage gaps: 18
- MISP citations: 1
- KEV CVE mappings: 1171
- Community rules: 2780
- thrunt rules: 3
| ID | Technique | Tactic | MISP | KEV | Community | thrunt | Coverage |
|---|---|---|---|---|---|---|---|
| T1059 | Command and Scripting Interpreter | Execution | 0 | 170 | 93 | 0 | community |
| T1190 | Exploit Public-Facing Application | Initial Access | 0 | 157 | 146 | 0 | community |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation | 0 | 69 | 28 | 0 | community |
| T1005 | Data from Local System | Collection | 0 | 46 | 14 | 0 | community |
| T1078 | Valid Accounts | Stealth, Persistence, Privilege Escalation, Initial Access | 0 | 46 | 55 | 0 | community |
| T1203 | Exploitation for Client Execution | Execution | 0 | 43 | 33 | 0 | community |
| T1105 | Ingress Tool Transfer | Command and Control | 0 | 35 | 87 | 0 | community |
| T1204.002 | Malicious File | Execution | 0 | 33 | 36 | 0 | community |
| T1505.003 | Web Shell | Persistence | 0 | 26 | 34 | 0 | community |
| T1133 | External Remote Services | Persistence, Initial Access | 0 | 25 | 20 | 0 | community |
| T1189 | Drive-by Compromise | Initial Access | 0 | 21 | 3 | 0 | community |
| T1055 | Process Injection | Stealth, Privilege Escalation | 0 | 19 | 35 | 0 | community |
| T1496 | Resource Hijacking | Impact | 0 | 19 | 13 | 0 | community |
| T1003 | OS Credential Dumping | Credential Access | 0 | 18 | 36 | 0 | community |
| T1574 | Hijack Execution Flow | Stealth, Execution | 0 | 16 | 8 | 0 | community |
| T1486 | Data Encrypted for Impact | Impact | 0 | 15 | 16 | 0 | community |
| T1059.004 | Unix Shell | Execution | 0 | 14 | 18 | 0 | community |
| T1059.007 | JavaScript | Execution | 0 | 14 | 23 | 0 | community |
| T1041 | Exfiltration Over C2 Channel | Exfiltration | 0 | 12 | 5 | 0 | community |
| T1204.001 | Malicious Link | Execution | 0 | 11 | 4 | 0 | community |
| T1608.001 | Upload Malware | Resource Development | 0 | 11 | 0 | 0 | gap |
| T1071.001 | Web Protocols | Command and Control | 0 | 10 | 41 | 0 | community |
| T1136 | Create Account | Persistence | 0 | 10 | 3 | 0 | community |
| T1202 | Indirect Command Execution | Stealth | 0 | 9 | 40 | 0 | community |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation | 0 | 9 | 9 | 0 | community |
| T1555 | Credentials from Password Stores | Credential Access | 0 | 9 | 8 | 0 | community |
| T1498 | Network Denial of Service | Impact | 0 | 8 | 3 | 0 | community |
| T1046 | Network Service Discovery | Discovery | 0 | 7 | 20 | 0 | community |
| T1082 | System Information Discovery | Discovery | 0 | 7 | 33 | 0 | community |
| T1106 | Native API | Execution | 0 | 7 | 14 | 0 | community |
| T1499 | Endpoint Denial of Service | Impact | 0 | 7 | 2 | 0 | community |
| T1566.001 | Spearphishing Attachment | Initial Access | 0 | 7 | 24 | 0 | community |
| T1566.002 | Spearphishing Link | Initial Access | 1 | 5 | 3 | 1 | t1566-002-luxembourg-hospitality-sms-phish |
| T1059.003 | Windows Command Shell | Execution | 0 | 6 | 45 | 0 | community |
| T1087 | Account Discovery | Discovery | 0 | 6 | 16 | 0 | community |
| T1091 | Replication Through Removable Media | Lateral Movement, Initial Access | 0 | 6 | 1 | 0 | community |
| T1485 | Data Destruction | Impact | 0 | 6 | 20 | 0 | community |
| T1566 | Phishing | Initial Access | 0 | 6 | 14 | 0 | community |
| T1027 | Obfuscated Files or Information | Stealth | 0 | 5 | 94 | 0 | community |
| T1070.004 | File Deletion | Stealth | 0 | 5 | 15 | 0 | community |
| T1083 | File and Directory Discovery | Discovery | 0 | 5 | 24 | 0 | community |
| T1087.002 | Domain Account | Discovery | 0 | 5 | 21 | 0 | community |
| T1003.001 | LSASS Memory | Credential Access | 0 | 4 | 79 | 0 | community |
| T1011 | Exfiltration Over Other Network Medium | Exfiltration | 0 | 4 | 0 | 0 | gap |
| T1021 | Remote Services | Lateral Movement | 0 | 4 | 10 | 0 | community |
| T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation | 0 | 3 | 0 | 1 | t1037-linux-init-script-modification |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration | 0 | 4 | 11 | 0 | community |
| T1112 | Modify Registry | Defense Impairment, Persistence | 0 | 4 | 94 | 0 | community |
| T1210 | Exploitation of Remote Services | Lateral Movement | 0 | 4 | 15 | 0 | community |
| T1212 | Exploitation for Credential Access | Credential Access | 0 | 4 | 5 | 0 | community |
| T1497 | Virtualization/Sandbox Evasion | Stealth, Discovery | 0 | 4 | 0 | 0 | gap |
| T1548 | Abuse Elevation Control Mechanism | Privilege Escalation | 0 | 4 | 23 | 0 | community |
| T1550.002 | Pass the Hash | Lateral Movement | 0 | 4 | 5 | 0 | community |
| T1552 | Unsecured Credentials | Credential Access | 0 | 4 | 13 | 0 | community |
| T1557 | Adversary-in-the-Middle | Credential Access, Collection | 0 | 4 | 10 | 0 | community |
| T1003.003 | NTDS | Credential Access | 0 | 3 | 24 | 0 | community |
| T1056 | Input Capture | Collection, Credential Access | 0 | 3 | 2 | 0 | community |
| T1070 | Indicator Removal | Stealth | 0 | 3 | 20 | 0 | community |
| T1090 | Proxy | Command and Control | 0 | 3 | 22 | 0 | community |
| T1114 | Email Collection | Collection | 0 | 3 | 4 | 0 | community |
| T1185 | Browser Session Hijacking | Collection | 0 | 3 | 2 | 0 | community |
| T1221 | Template Injection | Stealth | 0 | 3 | 2 | 0 | community |
| T1552.001 | Credentials In Files | Credential Access | 0 | 3 | 24 | 0 | community |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access | 0 | 3 | 5 | 0 | community |
| T1567 | Exfiltration Over Web Service | Exfiltration | 0 | 3 | 12 | 0 | community |
| T1573.001 | Symmetric Cryptography | Command and Control | 0 | 3 | 0 | 0 | gap |
| T1611 | Escape to Host | Privilege Escalation | 0 | 3 | 2 | 0 | community |
| T1001 | Data Obfuscation | Command and Control | 0 | 2 | 0 | 0 | gap |
| T1018 | Remote System Discovery | Discovery | 0 | 2 | 17 | 0 | community |
| T1021.001 | Remote Desktop Protocol | Lateral Movement | 0 | 2 | 16 | 0 | community |
| T1021.004 | SSH | Lateral Movement | 0 | 2 | 5 | 0 | community |
| T1033 | System Owner/User Discovery | Discovery | 0 | 2 | 30 | 0 | community |
| T1036 | Masquerading | Stealth | 0 | 2 | 40 | 0 | community |
| T1040 | Network Sniffing | Credential Access, Discovery | 0 | 2 | 9 | 0 | community |
| T1047 | Windows Management Instrumentation | Execution | 0 | 2 | 51 | 0 | community |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | 0 | 2 | 12 | 0 | community |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | 0 | 2 | 51 | 0 | community |
| T1098 | Account Manipulation | Persistence, Privilege Escalation | 0 | 2 | 32 | 0 | community |
| T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation | 0 | 1 | 0 | 1 | t1098-004-ssh-authorized-keys-write |
| T1110 | Brute Force | Credential Access | 0 | 2 | 25 | 0 | community |
| T1136.001 | Local Account | Persistence | 0 | 2 | 16 | 0 | community |
| T1140 | Deobfuscate/Decode Files or Information | Stealth | 0 | 2 | 18 | 0 | community |
| T1195.002 | Compromise Software Supply Chain | Initial Access | 0 | 2 | 15 | 0 | community |
| T1204 | User Execution | Execution | 0 | 2 | 10 | 0 | community |
| T1213 | Data from Information Repositories | Collection | 0 | 2 | 7 | 0 | community |
| T1218 | System Binary Proxy Execution | Stealth | 0 | 2 | 153 | 0 | community |
| T1482 | Domain Trust Discovery | Discovery | 0 | 2 | 17 | 0 | community |
| T1490 | Inhibit System Recovery | Impact | 0 | 2 | 27 | 0 | community |
| T1495 | Firmware Corruption | Impact | 0 | 2 | 1 | 0 | community |
| T1499.002 | Service Exhaustion Flood | Impact | 0 | 2 | 0 | 0 | gap |
| T1499.004 | Application or System Exploitation | Impact | 0 | 2 | 3 | 0 | community |
| T1505 | Server Software Component | Persistence | 0 | 2 | 1 | 0 | community |
| T1530 | Data from Cloud Storage | Collection | 0 | 2 | 0 | 0 | gap |
| T1553.005 | Mark-of-the-Web Bypass | Defense Impairment | 0 | 2 | 6 | 0 | community |
| T1556 | Modify Authentication Process | Defense Impairment, Persistence, Credential Access | 0 | 2 | 12 | 0 | community |
| T1560.001 | Archive via Utility | Collection | 0 | 2 | 17 | 0 | community |
| T1565 | Data Manipulation | Impact | 0 | 2 | 3 | 0 | community |
| T1565.001 | Stored Data Manipulation | Impact | 0 | 2 | 6 | 0 | community |
| T1584.005 | Botnet | Resource Development | 0 | 2 | 0 | 0 | gap |
| T1588.001 | Malware | Resource Development | 0 | 2 | 1 | 0 | community |
| T1592 | Gather Victim Host Information | Reconnaissance | 0 | 2 | 0 | 0 | gap |
| T1622 | Debugger Evasion | Stealth, Discovery | 0 | 2 | 1 | 0 | community |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access | 0 | 1 | 0 | 0 | gap |
| T1007 | System Service Discovery | Discovery | 0 | 1 | 11 | 0 | community |
| T1016 | System Network Configuration Discovery | Discovery | 0 | 1 | 11 | 0 | community |
| T1036.005 | Match Legitimate Resource Name or Location | Stealth | 0 | 1 | 21 | 0 | community |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration | 0 | 1 | 9 | 0 | community |
| T1049 | System Network Connections Discovery | Discovery | 0 | 1 | 9 | 0 | community |
| T1055.001 | Dynamic-link Library Injection | Stealth, Privilege Escalation | 0 | 1 | 8 | 0 | community |
| T1055.012 | Process Hollowing | Stealth, Privilege Escalation | 0 | 1 | 5 | 0 | community |
| T1056.001 | Keylogging | Collection, Credential Access | 0 | 1 | 3 | 0 | community |
| T1059.001 | PowerShell | Execution | 0 | 1 | 219 | 0 | community |
| T1069 | Permission Groups Discovery | Discovery | 0 | 1 | 3 | 0 | community |
| T1071 | Application Layer Protocol | Command and Control | 0 | 1 | 7 | 0 | community |
| T1071.002 | File Transfer Protocols | Command and Control | 0 | 1 | 0 | 0 | gap |
| T1078.003 | Local Accounts | Stealth, Persistence, Privilege Escalation, Initial Access | 0 | 1 | 5 | 0 | community |
| T1078.004 | Cloud Accounts | Stealth, Persistence, Privilege Escalation, Initial Access | 0 | 1 | 40 | 0 | community |
| T1087.001 | Local Account | Discovery | 0 | 1 | 13 | 0 | community |
| T1090.001 | Internal Proxy | Command and Control | 0 | 1 | 6 | 0 | community |
| T1114.002 | Remote Email Collection | Collection | 0 | 1 | 0 | 0 | gap |
| T1119 | Automated Collection | Collection | 0 | 1 | 5 | 0 | community |
| T1134.001 | Token Impersonation/Theft | Stealth, Privilege Escalation | 0 | 1 | 9 | 0 | community |
| T1195 | Supply Chain Compromise | Initial Access | 0 | 1 | 1 | 0 | community |
| T1199 | Trusted Relationship | Initial Access | 0 | 1 | 1 | 0 | community |
| T1211 | Exploitation for Stealth | Stealth | 0 | 1 | 4 | 0 | community |
| T1217 | Browser Information Discovery | Discovery | 0 | 1 | 4 | 0 | community |
| T1219 | Remote Access Tools | Command and Control | 0 | 1 | 6 | 0 | community |
| T1222 | File and Directory Permissions Modification | Defense Impairment | 0 | 1 | 2 | 0 | community |
| T1484.001 | Group Policy Modification | Defense Impairment, Privilege Escalation | 0 | 1 | 6 | 0 | community |
| T1489 | Service Stop | Impact | 0 | 1 | 20 | 0 | community |
| T1491.002 | External Defacement | Impact | 0 | 1 | 0 | 0 | gap |
| T1498.001 | Direct Network Flood | Impact | 0 | 1 | 0 | 0 | gap |
| T1528 | Steal Application Access Token | Credential Access | 0 | 1 | 14 | 0 | community |
| T1531 | Account Access Removal | Impact | 0 | 1 | 9 | 0 | community |
| T1542.005 | TFTP Boot | Stealth, Persistence | 0 | 1 | 0 | 0 | gap |
| T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation | 0 | 1 | 7 | 0 | community |
| T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | 0 | 1 | 39 | 0 | community |
| T1547.009 | Shortcut Modification | Persistence, Privilege Escalation | 0 | 1 | 4 | 0 | community |
| T1548.001 | Setuid and Setgid | Privilege Escalation | 0 | 1 | 2 | 0 | community |
| T1548.002 | Bypass User Account Control | Privilege Escalation | 0 | 1 | 56 | 0 | community |
| T1552.004 | Private Keys | Credential Access | 0 | 1 | 7 | 0 | community |
| T1557.001 | Name Resolution Poisoning and SMB Relay | Credential Access, Collection | 0 | 1 | 10 | 0 | community |
| T1569.002 | Service Execution | Execution | 0 | 1 | 43 | 0 | community |
| T1570 | Lateral Tool Transfer | Lateral Movement | 0 | 1 | 6 | 0 | community |
| T1571 | Non-Standard Port | Command and Control | 0 | 1 | 5 | 0 | community |
| T1588 | Obtain Capabilities | Resource Development | 0 | 1 | 2 | 0 | community |
| T1588.006 | Vulnerabilities | Resource Development | 0 | 1 | 0 | 0 | gap |
| T1595 | Active Scanning | Reconnaissance | 0 | 1 | 3 | 0 | community |
| T1598.002 | Spearphishing Attachment | Reconnaissance | 0 | 1 | 1 | 0 | community |
| T1601 | Modify System Image | Defense Impairment | 0 | 1 | 0 | 0 | gap |
| T1602 | Data from Configuration Repository | Collection | 0 | 1 | 0 | 0 | gap |
| T1653 | Power Settings | Persistence | 0 | 1 | 1 | 0 | community |
Sources: technique IDs extracted from CIRCL MISP OSINT event info + tags (text regex; deprecated v6 IDs aliased to their v10 subtechnique forms), from hand-authored Sigma rule YAML tags, and from MITRE CTID KEV→ATT&CK mappings (CVE-to-technique, hand-curated by CTID). Community coverage counts SigmaHQ rules tagged with each technique (core, emerging-threats, and threat-hunting collections; compliance and deprecated rules excluded). A gap is a technique with live signal (MISP citations or KEV CVE mappings) and zero coverage from either SigmaHQ or thrunt. Techniques with zero signal are intentionally omitted — the corpus speaks where it has something to say.